CAS-003 Free Practice Test

During a routine network scan, a security administrator discovered an unidentified service running on a new embedded and unmanaged HVAC controller, which is used to monitor the company's datacenter
Port state 161/UDP open 162/UDP open 163/TCP open
The enterprise monitoring service requires SNMP and SNMPTRAP connectivity to operate. Which of the following should the security administrator implement to harden the system?

1. A. Patch and restart the unknown services.
2. B. Segment and firewall the controller's network
3. C. Disable the unidentified service on the controller.
4. D. Implement SNMPv3 to secure communication.
5. E. Disable TCP/UDP PORTS 161 THROUGH 163

Correct Answer: D

A team is at the beginning stages of designing a new enterprise-wide application. The new application will have a large database and require a capital investment in hardware. The Chief Information Officer (?IO) has directed the team to save money and reduce the reliance on the datacenter, and the vendor must specialize in hosting large databases in the cloud. Which of the following cloud-hosting options would BEST meet these needs?

1. A. Multi-tenancy SaaS
2. B. Hybrid IaaS
3. C. Single-tenancy PaaS
4. D. Community IaaS

Correct Answer: C

A security analyst, Ann, states that she believes Internet facing file transfer servers are being attacked. Which of the following is evidence that would aid Ann in making a case to management that action needs to be taken to safeguard these servers?

1. A. Provide a report of all the IP addresses that are connecting to the systems and their locations
2. B. Establish alerts at a certain threshold to notify the analyst of high activity
3. C. Provide a report showing the file transfer logs of the servers
4. D. Compare the current activity to the baseline of normal activity

Correct Answer: D
In risk assessment a baseline forms the foundation for how an organization needs to increase or enhance its current level of security. This type of assessment will provide Ann with the necessary information to take to management.
Incorrect Answers:
A: Reports of IP addresses that connect to the systems and their locations does not prove that your servers are being attacked; it just shows who is connecting.
B: High activity does not necessarily mean attacks being carried out.
C: Logs reveal specific activities and the sequence of events that occurred. The file transfer logs of the servers still have to be compared to a baseline of what is normal.
References:
Gregg, Michael, and Billy Haines, CASP CompTIA Advanced Security Practitioner Study Guide, John Wiley & Sons, Indianapolis, 2012, pp. 210, 235

A company is transitioning to a new VDI environment, and a system engineer is responsible for developing a sustainable security strategy for the VDIs.
Which of the following is the MOST appropriate order of steps to be taken?

1. A. Firmware update, OS patching, HIDS, antivirus, baseline, monitoring agent
2. B. OS patching, baseline, HIDS, antivirus, monitoring agent, firmware update
3. C. Firmware update, OS patching, HIDS, antivirus, monitoring agent, baseline
4. D. Baseline, antivirus, OS patching, monitoring agent, HIDS, firmware update

Correct Answer: A

Company policy requires that all company laptops meet the following baseline requirements: Software requirements:
Antivirus
Anti-malware Anti-spyware Log monitoring
Full-disk encryption
Terminal services enabled for RDP Administrative access for local users Hardware restrictions:
Bluetooth disabled FireWire disabled WiFi adapter disabled
Ann, a web developer, reports performance issues with her laptop and is not able to access any network resources. After further investigation, a bootkit was discovered and it was trying to access external websites. Which of the following hardening techniques should be applied to mitigate this specific issue from reoccurring? (Select TWO).

1. A. Group policy to limit web access
2. B. Restrict VPN access for all mobile users
3. C. Remove full-disk encryption
4. D. Remove administrative access to local users
5. E. Restrict/disable TELNET access to network resources
6. F. Perform vulnerability scanning on a daily basis
7. G. Restrict/disable USB access

Correct Answer: DG
A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or areas of its software that would not otherwise be allowed (for example, to an unauthorized user) while at the same time masking its existence or the existence of other software. A bootkit is similar to a rootkit except the malware infects the master boot record on a hard disk. Malicious software such as bootkits or rootkits typically require administrative privileges to be installed.
Therefore, one method of preventing such attacks is to remove administrative access for local users. A common source of malware infections is portable USB flash drives. The flash drives are often plugged into less secure computers such as a user’s home computer and then taken to work and plugged in to a work computer. We can prevent this from happening by restricting or disabling access to USB devices.
Incorrect Answers:
A: Using a group policy to limit web access is not a practical solution. Users in a company often require Web access so restricting it will affect their ability to do their jobs.
B: Rootkits or Bootkits would not be caught by connecting to the network over a VPN so disabling VPN access will not help.
C: Removing full-disk encryption will not prevent Bootkits.
E: Bootkits are not caught by connecting to network resources using Telnet connection so disabling Telnet access to resources will not help.
F: Performing vulnerability scanning on a daily basis might help you to quickly detect Bootkits. However, vulnerability scanning does nothing to actually prevent the Bootkits.
References: https://en.wikipedia.org/wiki/Rootkit